Analysis

  • max time kernel
    121s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
  • submitted
    22-05-2024 21:57

General

  • Target
    599e153617b29456ad646496e8bd26261ae90534b96510179bd1b91167402394.exe
  • Size
    551KB
  • MD5
    3e21cdd07dc0b8976a9e5faaa736f96e
  • SHA1
    aa5c600fe6944908a62a230182edacb78b158cd4
  • SHA256
    599e153617b29456ad646496e8bd26261ae90534b96510179bd1b91167402394
  • SHA512
    4218f814b8b619bd6fe5f5ccaf7e9826b882e4e58d496fa609b83721449647e1edbb6f6593a518f8f781ec67eb60c647d5f1e4bd556c13827633bb3c6d56d1d7
  • SSDEEP
    12288:7tKe6Zv23YLVFhBsC8iFHSs7xPY1f6HriP1Gvjc09Fz5:v6Zv2ivhBVnFys7xP86LYGvjc09r

Score
9/10

Malware Config

Signatures

  • UPX dump on OEP (original entry point) 5 IoCs
  • Modifies Installed Components in the registry 2 TTPs 4 IoCs
  • Executes dropped EXE 1 IoCs
  • Modifies system executable filetype association 2 TTPs 2 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies registry class 12 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\599e153617b29456ad646496e8bd26261ae90534b96510179bd1b91167402394.exe
    "C:\Users\Admin\AppData\Local\Temp\599e153617b29456ad646496e8bd26261ae90534b96510179bd1b91167402394.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2760
    • C:\Windows\spoolsv.exe
      C:\Windows\spoolsv.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Modifies registry class
      PID:2276

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\concp32.exe
    Filesize
    555KB
    MD5
    1b9a84c2e04879f5fa0373eab3ecb154
    SHA1
    48c07baf9bc2d839b0546a289e4fa006a6f36a91
    SHA256
    f65ca8d62b7feac37c4dba670daae799636a073e80342796c3c1ac38a3fa4d7d
    SHA512
    2cd30256e58b9eb3af815a460b3eab9847e73183ab9b8ba4aa54b6a681b47942d35c94e62f3c33e2418e65169e81bc1de24f34f371ee34566712aeec3713a5af

  • C:\Windows\spoolsv.exe
    Filesize
    556KB
    MD5
    8a2ab8cf3c0eef6ff89d457f60f0f822
    SHA1
    ab4b4554aaee69ce0da32e2cbf2d2ef5d3577a9d
    SHA256
    617359d0ce6885be2be6bdb253d2391c960d17d8f36a8252746b8d28754dd7c7
    SHA512
    355ac4ca72951d7b3497279c45067daeeb391559f1689a2d031af81aff4fe7b395f34be13eeb519606e1f8ff4f061479b6b704d3b73592f922245e237cca12dd

  • memory/2276-15-0x0000000000400000-0x0000000000439000-memory.dmp
    Filesize
    228KB

  • memory/2760-0-0x0000000000400000-0x0000000000439000-memory.dmp
    Filesize
    228KB

  • memory/2760-14-0x0000000000400000-0x0000000000439000-memory.dmp
    Filesize
    228KB